Information Assurance, or more broadly Cyber Security, has traditionally been a discipline of identifying threats and vulnerabilities and then deploying one of three general categories of countermeasure: technology, process or education. But more recently companies are adding a fourth element into the mix – Cyber Insurance.
Cyber Insurance is growing in the UK – I have seen figures suggesting that up to 10% of businesses have specialist cyber cover and this is growing quickly. The market is already larger in the US.
The insurance industry likes working on clearly defined terms; but, as we all know, Cyber Security is not well defined. In the absence of a definition, I suggest policies will typically cover:
- Harm delivered via a network
- Harm to the network
- Loss of data (privacy)
- Harm caused to another party.
Typically the policies will pay for:
- Loss or damage to assets
- Liability from the loss
- Business interruption
- Reputation damage.
The cover is typically on a shared-risk basis, covering only part of the value of the asset being insured – giving the business a suitable incentive to put appropriate risk management controls in place. This incentive is important because, as we all know by now, good security practice will stop the vast majority of common attacks.
However, there are times when a well-resourced and motivated attacker will target your business; no matter how well you protect your systems, they will find a way in. There is no need to be shy about it, but we need to be open and admit “they beat us”. The risk of it happening to you is (arguably) low, but the cost of mitigation is high – a risk profile that insurance is well suited to cover.
Please insure me
Cyber Insurance starts to present a real challenge to the industry. It gives business leaders a seemingly simple “get out of jail” card for dealing with this complex and intangible cyber thing: when they get “done over”, insurance will deal with it. All of which could mean that, in actuality, the business is not dealing with the real issue of poor security practice and putting basic cyber hygiene in place.
Thankfully, the insurance companies are not that dumb, as witnessed by the refusal to take insurance identified in the BBC article. Firstly, as identified above, they look to share the risk, not take it away. Secondly, they look for evidence of good cyber practice before agreeing the terms of a policy.
This is all good news: they will only insure those who present a low risk. You can foresee a time when Cyber Insurance becomes not only the norm but the expectation. Companies with poor cyber practice will not be able to get insurance, and without insurance they will be unable to transact business.
We are a long way from that yet; certainly in the UK the Cyber Insurance industry is in its adolescent phase, but as it matures…?
As Cyber Security professionals, should we be encouraging Cyber Insurance by adding it to our risk mitigation mix?